+2014-11-07 Mark Wielaard <mjw@redhat.com>
+
+ * elf_begin.c (file_read_elf): Correct sh_size check.
+ * elf_getdata.c (__libelf_set_rawdata_wrlock): Check for unsigned
+ overflow.
+
2014-09-10 Petr Machata <pmachata@redhat.com>
* elf_begin (read_unmmaped_file): Call __libelf_seterrno if the
elf->state.elf32.scns.data[cnt].shdr.e32 =
&elf->state.elf32.shdr[cnt];
if (likely (elf->state.elf32.shdr[cnt].sh_offset < maxsize)
- && likely (maxsize - elf->state.elf32.shdr[cnt].sh_offset
- <= elf->state.elf32.shdr[cnt].sh_size))
+ && likely (elf->state.elf32.shdr[cnt].sh_size
+ <= maxsize - elf->state.elf32.shdr[cnt].sh_offset))
elf->state.elf32.scns.data[cnt].rawdata_base =
elf->state.elf32.scns.data[cnt].data_base =
((char *) map_address + offset
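Review bot: The corrected bounds check on `sh_size` in the elf32 branch has no comment explaining why it is written as a subtraction, so a later cleanup could turn it back into an overflowing `sh_offset + sh_size <= maxsize`. A one-line comment above the condition would prevent that, e.g. `/* Compare by subtraction: sh_offset + sh_size could wrap. */`. The preceding `sh_offset < maxsize` test is what keeps `maxsize - sh_offset` from underflowing, and the comment could say so too. The same applies to the elf64 copy of this check in the next hunk. The enclosing function starts and ends outside the hunk.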
elf->state.elf64.scns.data[cnt].shdr.e64 =
&elf->state.elf64.shdr[cnt];
if (likely (elf->state.elf64.shdr[cnt].sh_offset < maxsize)
- && likely (maxsize - elf->state.elf64.shdr[cnt].sh_offset
- <= elf->state.elf64.shdr[cnt].sh_size))
+ && likely (elf->state.elf64.shdr[cnt].sh_size
+ <= maxsize - elf->state.elf64.shdr[cnt].sh_offset))
elf->state.elf64.scns.data[cnt].rawdata_base =
elf->state.elf64.scns.data[cnt].data_base =
((char *) map_address + offset
if (elf->map_address != NULL)
{
/* First see whether the information in the section header is
- valid and it does not ask for too much. */
- if (unlikely (offset + size > elf->maximum_size))
+ valid and it does not ask for too much. Check for unsigned
+ overflow. */
+ if (unlikely (offset + size > elf->maximum_size
+ || (offset + size + elf->maximum_size
+ < elf->maximum_size)))
{
/* Something is wrong. */
__libelf_seterrno (ELF_E_INVALID_SECTION_HEADER);
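Review bot: The added overflow clause in the `elf->map_address != NULL` branch does not catch a wrapped `offset + size`. It only fires when `offset + size + elf->maximum_size` itself wraps, so a sum that has already wrapped to a small value passes both clauses (assuming `offset` and `size` are unsigned, as the new comment implies). A malformed section header could then still get through this check. The subtraction form this commit already uses in elf_begin.c avoids the addition: `if (unlikely (offset > elf->maximum_size || size > elf->maximum_size - offset))`. The enclosing function starts and ends outside the hunk.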